Abstract. A fully abstract and universal domain model for modal transition systems and refinement, developed in [27], is shown to be a maximal-points space model for the bisimulation quotient of labelled transition systems over a finite set of events. In this domain model we prove that this quotient is a Stone space whose compact, zero-dimensional, and ultra-metrizable Hausdorff topology measures the degree of bisimilarity and that image-finite labelled transition systems are dense. Using this compactness we show that the set of labelled transition systems that refine a modal transition system, its "set of implementations," is compact and derive a compactness theorem for Hennessy-Milner logic on such implementation sets. These results extend to systems that also have partially specified state propositions, unify existing denotational, operational, and metric semantics on partial processes, render robust consistency measures for modal transition systems, and yield an abstract interpretation of compact sets of labelled transition systems as Scott-closed sets of modal transition systems.



Labelled transition systems are a fundamental modelling formalism in many areas of 
computer science and one often needs to compare two or more such systems in applications. 
For example, in doing state compression prior to model checking one wants to ensure that 
the compressed system yields the same model checks as the uncompressed one. Similarly, if 
one system is a specification and another one its implementation, then program correctness 
can be established by proving these systems to be equivalent. By the same token, if two 
systems are not equivalent, one may want to know to what degree this is so, e.g. in a risk 
analysis of a safety-critical system. 

This paper chooses bisimulation as the notion of equivalence of labelled transition systems. Bisimulation is an established, sufficiently fine-grained notion of equivalence between labelled transition systems [?], so any approximative notions, e.g. testing [?], have bisimulation as a well accepted point of reference. Since quantitative aspects ought to be invariant under bisimulation, we stipulate that the quotient of all labelled transition systems with respect to bisimulation is the right conceptual space for reasoning about and comparing quantitative aspects of labelled transition systems.

If two labelled transition systems are not bisimilar, one may require a quantitative measure of such differences and such a measure has many applications. We mention security protocols [?], where one system is the specification and the other is an implementation and where we may wish to quantify illicit information flow [?] or the effort needed to expose implementation flaws; modal specifications [32], where a specification captures a possibly infinite set of mutually non-bisimilar labelled transition systems; and requirements engineering [?], where each system may be the modal specification of a particular viewpoint and consistency measures on modal specifications are sought.

One principal aim of this paper is to unify several strands of established work in one integrated framework: metric semantics of processes à la Bakker & Zucker [?]; use of Hennessy-Milner logic, domain theory and transition systems à la Abramsky [?]; means of under-specifying and refining processes à la Larsen & Thomsen [33]; and representations of classical topological spaces as maximal-point spaces of domains à la Lawson [34]. To that end, we use a domain $D$, defined in [27] and shown to be a universal model for finitely-branching modal transition systems and fully abstract for their refinement in loc. cit.

Specifically, we discover that the metric induced by the Lawson topology on $D$ is a generalization of the one in [?] to modal transition systems; that the subspace of maximal elements of $D$ is a Stone space with respect to the Lawson (or Scott) topology; and that this Stone space is an isomorphic representation of the quotient of all labelled transition systems modulo bisimulation, so the topology and metric carry over to that quotient. Since a Stone space has a complete ultra-metric, our model has labelled transition systems that are not image-finite, allowing the modelling of continuous state spaces, but all labelled transition systems can be approximated by image-finite ones to any degree of precision.

The compactness of this quotient space then makes it possible to study the topological structure of sets of implementations for modal transition systems, the second principal aim of this paper. In particular, our topological analysis shows that 3-valued model checking [?] reasons about compact sets of labelled transition systems, namely the set of all 2-valued refinements of a given 3-valued system. We propose two measures, a pessimistic and an optimistic one, for how close any refining labelled transition systems of two such 3-valued systems can be. Using compactness, we prove that the optimistic measure is zero iff the two 3-valued systems in question have a common refinement.

Our concepts and results are also robust under a change of representation, e.g. in moving from event-based to state-based systems or those that combine state and event information. It would be of interest to see whether results similar to the ones of this paper are obtainable for systems that explicitly represent time, probability (e.g. as done in [?, ?]) or other quantitative information.

Outline of this paper: In Section 2 we review modal transition systems, their refinement, and a fully abstract domain model for these notions. Section 3 establishes the central result of this paper, showing that the maximal-points space of the fully abstract domain of Section 2 is a Stone space and the quotient of all labelled transition systems with respect to bisimulation. In Section 4 we give three applications of the compactness of this maximal-points space: a compactness theorem for Hennessy-Milner logic on compact sets of implementations, an abstract interpretation of compact sets of implementations as Scott-closed sets of modal transition systems, and a robust consistency measure for modal transition systems. Section 5 states related work, and Section 6 concludes.

2. Domain of modal transition systems 

Modal transition systems are defined like labelled transition systems, except that transitions come in two modes that specify whether such transitions must or may be implemented. A refinement relation between modal transition systems therefore associates to a modal transition system those refining labelled transition systems in which all implementation choices have been resolved. In this section we formalize these notions and present the domain of [27] as a faithful mathematical model of the model-checking framework of modal transition systems.

2.1. Mixed transition systems and refinement. We define Larsen & Thomsen's modal transition systems [33], their refinement and other key concepts formally and present the domain $D$ which is a fully abstract model of such systems and their refinement [27]. Our results are shown within that domain. In this paper, let $(\alpha, \beta, \dots \in)\ Act$ be a fixed finite set of events and $(w, w', \dots \in)\ Act^*$ the set of finite words over $Act$ with $\epsilon$ denoting the word of length zero. The labelled transition systems considered here have events from $Act$ only. The structural properties of our domain model require that we also define Dams' more general notion of mixed transition systems [?].

A modal transition system $M$ has two transition relations $R^a, R^c \subseteq \Sigma \times Act \times \Sigma$ on a set of states $\Sigma$. The sets $R^a$ and $\Sigma \times Act \times \Sigma \setminus R^c$ specify contractual promises or expectations about the reactive capacity and incapacity of implementations, respectively. These guarantees are to be understood with respect to the refinement of states. We write "a" in $R^a$ to denote asserted behavior and "c" in $R^c$ to denote consistent behavior and use these annotations in judgments $\models^a$ and $\models^c$ below with the same meaning.

Example 2.1. In Figure 1 we see a contractual guarantee that any state refining Drinks cannot have a transition labelled with newPint to a state refining Talks as the triple (Drinks, newPint, Talks) is not in $R^c$. There is a contractual guarantee that any state refining Waits has an $R^a$-transition labelled with newPint to all states that refine Drinks or Talks.

Figure 1: An image-finite modal transition system specifying aspects of "pub behavior."

Definition 2.2.

(1) • A mixed transition system [?] is a triple $M = (\Sigma, R^a, R^c)$ such that, for every mode $m \in \{a, c\}$, the pair $(\Sigma, R^m)$ is a labelled transition system, i.e. $R^m \subseteq \Sigma \times Act \times \Sigma$.

• If $R^a \subseteq R^c$, then $M$ is a modal transition system [33].

• We call $M$ image-finite iff for all $s \in \Sigma$, $\alpha \in Act$, and $m \in \{a, c\}$ the set $\{s' \in \Sigma \mid (s, \alpha, s') \in R^m\}$ is finite.

• A mixed transition system $M$ with a designated initial state $i$ is pointed, written $(M, i)$.

• We call elements of $R^a$ must-transitions and elements of $R^c \setminus R^a$ may-transitions.

(2) Let $M = (\Sigma, R^a, R^c)$ be a mixed transition system.

• A relation $Q \subseteq \Sigma \times \Sigma$ is a refinement within $M$ [33, ?] iff $(s, t) \in Q$ implies, for all $\alpha \in Act$,

(a) if $(s, \alpha, s') \in R^a$, there exists some $(t, \alpha, t') \in R^a$ such that $(s', t') \in Q$; and

(b) if $(t, \alpha, t') \in R^c$, there exists some $(s, \alpha, s') \in R^c$ such that $(s', t') \in Q$.

• We write $s \prec_M t$ or $s \prec t$ if there is some refinement $Q$ with $(s, t) \in Q$. In that case, $t$ refines (is abstracted by) $s$.

• States $s$ and $t$ are refinement-equivalent iff ($s \prec t$ and $t \prec s$).

• Let $(M, i) \prec (N, j)$ mean that $j$ refines $i$ in the mixed transition system that is the disjoint union of $M$ and $N$; $(M, i)$ and $(N, j)$ are refinement-equivalent iff $i$ and $j$ are refinement-equivalent in that union.

• The implementations of $(M, i)$ are those pointed modal transition systems without may-transitions that refine $(M, i)$.



As the union $\prec_M$ of all refinements within $M$ is also a refinement within $M$, $\prec_M$ is the greatest refinement relation within $M$. Please note that we use the relational inverse of the $\prec$ in [27], as done in [?], so our $(M, i) \prec (N, j)$ is written as $(N, j) \pr{}ec (M, i)$ in [27]. Larsen & Thomsen's modal transition systems and their refinement [33] are partial versions of labelled transition systems and bisimulation [?]. A modal transition system represents those labelled transition systems that refine it, the implementations of $M$. This representation is sound, for if a modal transition system $M$ refines a modal transition system $N$, all labelled transition systems that refine $M$ also refine $N$ as $\prec$ is transitive.
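The refinement relation of Definition 2.2, computed as a greatest fixpoint over two finite systems, as an added example that is not code from the paper. The pub fragment and the three candidate implementations below are constructed sample data in the spirit of Figure 1, not the figure itself; all names are this example's own.

```python
# Added example (not code from the paper): mixed and modal transition systems, and the
# greatest refinement relation of Definition 2.2 computed as a greatest fixpoint.
from itertools import product


class MTS:
    """A mixed transition system (Sigma, R^a, R^c): R^a holds the asserted (must)
    transitions, R^c the consistent (may) transitions, as sets of (s, alpha, s') triples."""

    def __init__(self, states, must, may):
        self.states = frozenset(states)
        self.Ra = frozenset(must)
        self.Rc = frozenset(may)

    def is_modal(self):
        # Definition 2.2(1): modal iff every must-transition is also a may-transition
        return self.Ra <= self.Rc

    def succ(self, mode, s, alpha):
        R = self.Ra if mode == "a" else self.Rc
        return {t for (x, b, t) in R if x == s and b == alpha}


def events(M):
    return {a for (_, a, _) in M.Ra | M.Rc}


def disjoint_union(M, N):
    """States of M are tagged 0, states of N are tagged 1."""
    tag = lambda R, k: {((k, s), a, (k, t)) for (s, a, t) in R}
    return MTS({(0, s) for s in M.states} | {(1, s) for s in N.states},
               tag(M.Ra, 0) | tag(N.Ra, 1), tag(M.Rc, 0) | tag(N.Rc, 1))


def greatest_refinement(M):
    """The largest Q satisfying Definition 2.2(2): start from all pairs and discard every
    (s, t) violating clause (a) or (b) until nothing changes; (s, t) in Q means t refines s."""
    Act = events(M)
    Q = set(product(M.states, M.states))
    changed = True
    while changed:
        changed = False
        for (s, t) in list(Q):
            ok = True
            for alpha in Act:
                # (a) each must-transition of s is matched by a must-transition of t
                for s2 in M.succ("a", s, alpha):
                    if not any((s2, t2) in Q for t2 in M.succ("a", t, alpha)):
                        ok = False
                # (b) each may-transition of t is matched by a may-transition of s
                for t2 in M.succ("c", t, alpha):
                    if not any((s2, t2) in Q for s2 in M.succ("c", s, alpha)):
                        ok = False
            if not ok:
                Q.discard((s, t))
                changed = True
    return Q


def refines(M, i, N, j):
    """(M, i) ≺ (N, j): j refines i in the disjoint union of M and N."""
    return ((0, i), (1, j)) in greatest_refinement(disjoint_union(M, N))


def lts(states, trans):
    # A labelled transition system is a modal one with R^a = R^c (Remark 2.4)
    return MTS(states, trans, trans)


# Constructed sample data in the spirit of Figure 1 (not the paper's figure): newPint from
# Waits is asserted (must); talks and drinks are merely consistent (may).
PUB = MTS({"Waits", "Drinks", "Talks"},
          must={("Waits", "newPint", "Drinks")},
          may={("Waits", "newPint", "Drinks"), ("Drinks", "talks", "Talks"),
               ("Talks", "drinks", "Drinks")})
IMPL_OK = lts({"W", "D", "T"},
              {("W", "newPint", "D"), ("D", "talks", "T"), ("T", "drinks", "D")})
IMPL_MISSING_MUST = lts({"W", "D", "T"}, {("D", "talks", "T")})
IMPL_FORBIDDEN = lts({"W", "D", "T"}, {("W", "newPint", "D"), ("D", "newPint", "T")})

if __name__ == "__main__":
    print(refines(PUB, "Waits", IMPL_OK, "W"))            # True
    print(refines(PUB, "Waits", IMPL_MISSING_MUST, "W"))  # False: must-transition dropped
    print(refines(PUB, "Waits", IMPL_FORBIDDEN, "W"))     # False: transition outside R^c
```

Because the union of refinements is again a refinement, the largest relation satisfying (a) and (b) is found by deleting violating pairs until the relation is stable, the same greatest-fixpoint scheme used for bisimulation; with $R^a = R^c$ on both sides the check is exactly bisimulation, as Remark 2.4 states. The third implementation fails for the reason given in Example 2.1: it adds a newPint transition that the specification does not list in $R^c$.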

Example 2.3.

(1) Figures 1 and 2 depict modal transition systems, where dashed and solid lines depict may-transitions and must-transitions, respectively. The refinement $Q$ identifies states with the same activity; e.g. Drinks with TomDrinks and BobDrinks etc.

(2) The mixed transition system on the left of Figure 4 is not a modal transition system but is refinement-equivalent to the modal transition system on the right of Figure 4.

Remark 2.4. We may identify modal transition systems $(\Sigma, R, R)$ with labelled transition systems and refinement between such modal transition systems with bisimulation [33] and will freely move between these two representations of labelled transition systems and bisimulation subsequently.

2.2. The interval domain as an allegory. Before we present the domain model for refinement of modal transition systems we use Scott's interval domain [?] as a motivating example that features most of the desirable properties of our domain model.

Figure 2: An image-finite modal transition system that refines the one in Figure 1.

Figure 3: A schematic description of the interval domain and its order: $[r, s] \le [r', s']$ iff ($r \le r'$ and $s' \le s$).

Example 2.5. Figure 3 shows the interval domain and its ordering: $[r, s] \le [r', s']$ iff ($r \le r'$ and $s' \le s$). In that case we say that $[r', s']$ refines $[r, s]$.

The interval domain nicely illustrates some of the properties we expect our domain model $D$ to have.

(1) Refinement is complete for implementations: Real numbers $x \in [0, 1]$ represented as intervals $[x, x]$ are the "implementations" of intervals, so $[r, s]$ has all $[x, x]$ with $x \in [r, s]$ as implementations. One can easily see that $[r, s]$ is refined by $[r', s']$ iff all implementations of $[r', s']$ are also implementations of $[r, s]$.

(2) Universality: The interval domain $I$ is universal for worst/best-case abstractions of subsets of $[0, 1]$. If we abstract $X \subseteq [0, 1]$ by the interval $[\bigwedge X, \bigvee X] \in I$, any element of $I$ is the abstraction of at least one such $X$. In fact, there is a Galois connection $\alpha: \mathcal{P}([0, 1])^{op} \to I$ and $\gamma: I \to \mathcal{P}([0, 1])^{op}$ where $\alpha(X) = [\bigwedge X, \bigvee X]$ is the monotone abstraction function, $\gamma([r, s]) = [r, s]$ is the monotone "concretization" function, and $\alpha \circ \gamma = id_I$ and $\gamma \circ \alpha \le id_{\mathcal{P}([0, 1])^{op}}$.

(3) Full abstraction: The order on $I$ coincides with the refinement relation as the latter means reverse containment of implementations by item (1) above.

(4) Classical space as maximal-points space: The set $[0, 1]$ equipped with the compact Euclidean topology is isomorphic as a topological space to the set of maximal elements of $I$ in the topology induced by the Scott- or Lawson-topology of $I$.

(5) Denseness of computable structures: Intervals with rational endpoints approximate intervals to any degree of precision.

(6) Consistency measure: The map $c: I \times I \to I \cup \{\bot\}$ defined by $c([r, s], [r', s']) = [\max(r, r'), \min(s, s')]$, where $[x, y]$ is understood to be $\bot$ if $x \not\le y$, tells us whether its inputs are consistent with each other by checking whether its output is different from $\bot$. Non-overlapping intervals cannot possibly approximate the same real number.

The domain model $D$ for refinement of modal transition systems [27] has similar properties which we discuss briefly here prior to their technical development in this paper. The completeness proof for implementations for refinement of modal transition systems does not depend on the compactness of $\max(D)$, is non-trivial, and presented elsewhere [?]. Universality amounts to showing that every modal transition system has a refinement-equivalent embedding in the domain $D$. Full abstraction means that the order on $D$ equals the greatest refinement relation on $D$ interpreted as a modal transition system. The maximal-points space $\max(D)$ of $D$ gives us a precise model of labelled transition systems and their notion of "nearness." This space turns out to be the quotient of labelled transition systems with respect to bisimulation such that the familiar metric based on tests expressed in Hennessy-Milner logic [?] induces the topology on that space. Finite-state labelled transition systems are shown to be dense in this space. Finally, the compactness of this space is proved and a monotone consistency measure

$c: D \times D \to I$ (2.1)

between two modal transition systems is then derived thereof. Said compactness then renders a Galois connection between compact sets of implementations and Scott-closed sets of modal transition systems as shown in Theorem 4.6 below. Apart from these similarities with $I$, a key difference is that $D$ is algebraic and that the maximal-points space is therefore zero-dimensional.

2.3. The domain model for refinement of modal transition systems. The reader familiar with domain theory [?] may safely skip the next definition.

Definition 2.6.

(1) • A topological space $(X, \tau)$ consists of a set $X$ and a family $\tau$ of subsets of $X$ such that $\{\}$ and $X$ are in $\tau$, and $\tau$ is closed under finite intersections and arbitrary unions.

• Elements $O \in \tau$ are $\tau$-open, complements $X \setminus O$ with $O \in \tau$ are $\tau$-closed, and sets that are $\tau$-open and $\tau$-closed are $\tau$-clopen.

(2) • A subset $A$ of a partial order $(D, \le)$ is directed iff (for all $a, a' \in A$ there is some $a'' \in A$ with $a, a' \le a''$).

• A partial order $(D, \le)$ is a dcpo iff all its directed subsets $A$ have a least upper bound $\bigvee A$.

• We write $ub(A) = \{u \in D \mid \forall a \in A: a \le u\}$ for the set of upper bounds of $A$.

• We denote by $mub(A) = \{u \in ub(A) \mid \forall u' \in ub(A): u' \le u \Rightarrow u = u'\}$ the set of minimal upper bounds of $A$.

• An element $k \in D$ is compact in a dcpo $D$ iff (for all directed sets $A$ of $D$ with $k \le \bigvee A$ there is some $a \in A$ with $k \le a$). We write $K(D)$ for the set of compact elements of $D$.

• A dcpo $D$ is algebraic iff for all $d \in D$ the set $\{k \in K(D) \mid k \le d\}$ is directed with least upper bound $d$.

• For a finite subset $F$ of $D$ define, for all $n \ge 1$,

$mub^1(F) = mub(F)$, $\quad mub^{n+1}(F) = mub(mub^n(F))$, $\quad mub^\infty(F) = \bigcup_{n \ge 1} mub^n(F)$.

• A bifinite domain, also known as an SFP-domain, is an algebraic dcpo $D$ such that for every finite subset $F \subseteq K(D)$ the set $mub^\infty(F)$ is finite, contained in $K(D)$, and $ub(F) = {\uparrow}mub(F)$ where for any $X \subseteq D$ we write

${\uparrow}X = \{d \in D \mid \exists x \in X: x \le d\}$, $\quad {\downarrow}X = \{d \in D \mid \exists x \in X: d \le x\}$.

• We call $X$ upper iff $X = {\uparrow}X$; lower iff $X = {\downarrow}X$.

(3) For a bifinite domain $D$, we define

• the Scott-topology $\sigma_D$ to consist of all subsets $U$ of $D$ satisfying $U = {\uparrow}(U \cap K(D))$;

• the Lawson-topology $\lambda_D$ to consist of all subsets $V$ of $D$ such that $x \in V$ implies the existence of some $k, l \in K(D)$ with $x \in {\uparrow}k \setminus {\uparrow}l \subseteq V$; and

• the $\sigma_D$-compact saturated subsets of $D$ to be the $\lambda_D$-closed upper subsets of $D$.

The definitions of item (3) above are really characterizations [?]. We use the initial solution $D$ of a domain equation, presented in [27] and denoted by $\mathcal{D}$ in loc. cit., as the domain whose set of maximal points we prove to be the Stone space of pointed labelled transition systems modulo bisimulation. The items (2) and (3) of Definition 2.7 below are Definition 8 and 9 of [27], respectively.

Definition 2.7 ([27]).

(1) The mixed powerdomain $\mathcal{M}[D]$ [?, ?] of a bifinite domain $D$ has as elements all pairs $(L, U)$ where $L$ is $\sigma_D$-closed and $U$ is $\sigma_D$-compact saturated such that $L$ and $U$ satisfy the mix condition

$L = {\downarrow}(L \cap U)$. (2.2)

The order on $\mathcal{M}[D]$ is defined by

$(L, U) \le (L', U')$ iff ($L \subseteq L'$ and $U' \subseteq U$). (2.3)

(2) Since $\mathcal{M}[D]$ is a bifinite domain whenever $D$ is bifinite and since the functors $\mathcal{M}$ and $\prod$ are locally continuous [?], we can solve the domain equation

$D = \prod_{\alpha \in Act} \mathcal{M}[D]$ (2.4)

over bifinite domains where $\prod_{\alpha \in Act}$ denotes the product functor over all events in $Act$, and write $D$ for the initial solution of that equation.

(3) The domain $D$ may be interpreted as a pointed mixed transition system

$\mathcal{D} = (D, M^a, M^c)$ (2.5)

where the recursion $d = ((d^a_\alpha, d^c_\alpha))_{\alpha \in Act}$ of the equation (2.4) for $D$ specifies that all elements $d'$ in the set $d^a_\alpha$ ($d^c_\alpha$) are exactly the $M^a$-successors ($M^c$-successors) of $d$ for $\alpha$ in $\mathcal{D}$ (respectively).

Figure 4: On the left: a mixed transition system $(\Sigma, R^a, R^c)$ satisfying the mix condition (MC). Dashed lines denote elements of $R^c$ and solid lines denote elements of $R^a$. For $(s, \alpha, s') \in R^a$ there is $(s, \alpha, s'') \in R^a \cap R^c$ with $s' \prec s''$. The other tuple in $R^a$ is matched by itself as it is in $R^a \cap R^c$. On the right: a modal transition system that is refinement-equivalent to the mixed transition system on the left. Its set of must-transitions is $R^a \cap R^c$ (solid lines) and its set of may-transitions is $R^c$ (solid or dashed lines).

Thus, the $L$ and $U$ in (2.2) model $M^a$- and $M^c$-transitions within $D$, respectively. The order-theoretic mix condition (2.2) has an equivalent version for mixed transition systems.

Definition 2.8 ([27]). A mixed transition system $M = (\Sigma, R^a, R^c)$ satisfies the mix condition (MC) iff (for all $(s, \alpha, s') \in R^a$ there is some $(s, \alpha, s'') \in R^a \cap R^c$ such that $s' \prec s''$).

As shown in Proposition 3 in [27], (2.2) ensures that $\mathcal{D}$ satisfies the mix condition (MC) since the order on $D$ is a refinement within $D$: for all $(e, \alpha, e') \in M^a$ there is some $(e, \alpha, e'') \in M^a \cap M^c$ such that $(\mathcal{D}, e') \prec (\mathcal{D}, e'')$.

Example 2.9. Figure 4 demonstrates that mixed transition systems $(\Sigma, R^a, R^c)$ that satisfy the mix condition (MC) are refinement-equivalent to modal transition systems $(\Sigma, R^a \cap R^c, R^c)$. Therefore, such mixed transition systems are merely modal transition systems in disguise [27].

Remark 2.10. By Proposition 1 in [27] and as seen in the previous example, the mix condition (MC) guarantees that the mixed transition system $(D, M^a, M^c)$ is refinement-equivalent to the modal transition system $(D, M^a \cap M^c, M^c)$. Therefore all reasoning that is invariant under refinement equivalence, as is the case in this paper, may be done with the latter modal transition system and we abuse notation to refer to that modal transition system as $\mathcal{D}$ as well.

The domain model $D$ is universal: There is an embedding $(M, i) \mapsto (\!|M, i|\!)$ from the class of image-finite pointed mixed transition systems satisfying the mix condition (MC) to elements of $D$ such that $(M, i)$ and $(\mathcal{D}, (\!|M, i|\!))$ are refinement-equivalent (Theorem 6.1 in [27]). The domain model $D$ is fully abstract: For all $d, e \in D$, we have $d \le e$ iff $(\mathcal{D}, d) \prec (\mathcal{D}, e)$ (Theorem 5 in [27]). For sake of completeness, we sketch the construction of this embedding and needed aspects of the full abstraction proof in the next section.



3. Stone space of labelled transition systems

We show that the maximal elements of $D$ are precisely the representations of pointed labelled transition systems modulo bisimulation; and that this quotient is a Stone space and therefore determined by a complete ultra-metric.

3.1. The maximal-points space. We define the required notions from topology.

Definition 3.1.

(1) A topological space $(X, \tau)$ is

(a) compact iff for all $\mathcal{U} \subseteq \tau$ with $X \subseteq \bigcup \mathcal{U}$ there is a finite subset $\mathcal{F} \subseteq \mathcal{U}$ with $X \subseteq \bigcup \mathcal{F}$;

(b) Hausdorff iff for all $x \ne x'$ in $X$ there are $O, O' \in \tau$ with $x \in O$, $x' \in O'$ and $O \cap O' = \{\}$;

(c) zero-dimensional iff every $\tau$-open set is the union of $\tau$-clopens; and

(d) a Stone space iff it is zero-dimensional, compact, and Hausdorff.

(2) A subset $C$ of $(X, \tau)$ is $\tau$-compact iff the topological space $(C, \{U \cap C \mid U \in \tau\})$ is compact.

(3) A subset $A$ of $X$ is dense in $(X, \tau)$ iff $A \cap O$ is non-empty for all non-empty $O \in \tau$.

(4) An ultra-metric on $X$ is a function $d: X \times X \to [0, 1]$ such that for all $x, y, z \in X$

(a) $d(x, y) = 0$ iff $x = y$;

(b) $d(x, y) = d(y, x)$; and

(c) $d(x, z) \le \max(d(x, y), d(y, z))$.

(5) An ultra-metric $d: X \times X \to [0, 1]$ determines a topology $\tau_d$ on $X$ whose elements are all those $O \subseteq X$ that are unions of sets of the form $B_\eta(x) = \{y \in X \mid d(x, y) < \eta\}$ for $x \in X$ and rational $\eta > 0$.

(6) A topological space $(X, \tau)$ is ultra-metrizable iff there is an ultra-metric $d: X \times X \to [0, 1]$ such that $\tau = \tau_d$.

(7) We denote by $\max(D) = \{m \in D \mid \forall d \in D: m \le d \Rightarrow m = d\}$ the set of maximal elements of $D$. The set

$X = \max(D)$ (3.1)

has a maximal-points space topology $\tau_X$ [34]

(3.2)

(8) For $d \in D$, we write

$M(d) = {\uparrow}d \cap \max(D)$. (3.3)
$(N, i) \models^m \neg\phi$ iff $(N, i) \not\models^{\neg m} \phi$

$(N, i) \models^m \langle\alpha\rangle\phi$ iff for some $(i, \alpha, i') \in R^m$, $(N, i') \models^m \phi$

$(N, i) \models^m \phi \wedge \psi$ iff ($(N, i) \models^m \phi$ and $(N, i) \models^m \psi$)

Figure 5: Semantics of Hennessy-Milner logic with two judgments $(N, i) \models^m \phi$ where $m \in \{a, c\}$, $\neg a = c$, and $\neg c = a$.

Since $D$ is a bifinite domain, the Lawson condition [?] holds for $D$, namely that the topology $\tau_X$ is also induced by the $\lambda_D$-topology:

$\tau_X = \{V \cap X \mid V \in \lambda_D\}$. (3.4)

We remark that not all bifinite domains $D$ enjoy the property that $\max(D)$ is compact in the topology induced by $\sigma_D$ or $\lambda_D$.

3.2. Maximal-points space is zero-dimensional and Hausdorff. We first record that $\tau_X$ is Hausdorff and zero-dimensional. Proposition 3.2 below holds for any algebraic domain satisfying the Lawson condition [?]. We state and prove that proposition for $D$ for sake of completeness.

Proposition 3.2. The topological space $(X, \tau_X)$ is zero-dimensional and Hausdorff.

Proof.

• Every $U \in \sigma_D$ is the union of $\sigma_D$-opens ${\uparrow}k$, $k \in K(D)$, as $D$ is algebraic. But each ${\uparrow}k$ is $\lambda_D$-clopen as $\sigma_D \subseteq \lambda_D$ and ${\uparrow}k$ is $\lambda_D$-closed. From the Lawson condition for $D$, (3.4), we infer that $M(k)$ is $\tau_X$-clopen and so $\tau_X$ is zero-dimensional as every $O \in \tau_X$ is the union of such sets.

• To show that $\tau_X$ is Hausdorff, let $x \ne y$. Since $D$ is a partial order we may assume $y \not\le x$ without loss of generality. Since $D$ is algebraic, $y \not\le x$ implies $k \le y$ and $k \not\le x$ for some $k \in K(D)$. But $M(k)$ is $\tau_X$-open and contains $y$ whereas $x$ is in $X \setminus M(k)$ which is $\tau_X$-open since $M(k)$ is also $\tau_X$-closed.

□

3.3. Semantics of Hennessy-Milner logic. We use tools from temporal logic to develop a sufficient criterion for membership in $\max(D)$.

Definition 3.3.

(1) The set of formulas of Hennessy-Milner logic [24] is generated by the grammar

$\phi ::= tt \mid \neg\phi \mid \langle\alpha\rangle\phi \mid \phi \wedge \phi$ (3.5)

where $\alpha$ ranges over the finite set of events $Act$.

(2) Let $(N, i) = ((\Sigma, R^a, R^c), i)$ be a pointed modal transition system. Larsen's semantics, denoted by $\models$ in [32] for Hennessy-Milner logic in negation normal form, is depicted in Figure 5.

(3) We write $[\alpha]$ for $\neg\langle\alpha\rangle\neg$ and $\phi \vee \psi$ for $\neg(\neg\phi \wedge \neg\psi)$ subsequently for all $\alpha \in Act$ and all $\phi$ and $\psi$ of Hennessy-Milner logic.
Remark 3.4. For each $m \in \{a, c\}$ we have

$(N, i) \models^m [\alpha]\phi$ iff for all $(i, \alpha, i') \in R^{\neg m}$, $(N, i') \models^m \phi$

$(N, i) \models^m \phi \vee \psi$ iff ($(N, i) \models^m \phi$ or $(N, i) \models^m \psi$).

Please note that $\models^m [\alpha]\phi$ universally quantifies over transitions in the dual mode $\neg m$.

Example 3.5. Consider the modal transition system $N$ in Figure 1.

(1) We have $(N, Talks) \models^c \langle drinks\rangle tt$ because of the $R^c$-transition (Talks, drinks, Drinks). By the semantics of negation, this implies $(N, Talks) \not\models^a \neg\langle drinks\rangle tt$. We also infer $(N, Talks) \not\models^a \langle drinks\rangle tt$ as there is no state $s$ with $(Talks, drinks, s) \in R^a$. By the semantics of disjunction, these two judgments render $(N, Talks) \not\models^a \langle drinks\rangle tt \vee \neg\langle drinks\rangle tt$. This judgment says that we can't determine that $\langle drinks\rangle tt \vee \neg\langle drinks\rangle tt$ is asserted in state Talks in $N$. As that formula is a tautology over labelled transition systems we see that judgments $(N, Talks) \models^a \phi$ under-approximate validity judgments "all refinements of $(N, Talks)$ satisfy $\phi$." As we show below, it turns out that the ability to capture these validity judgments for certain tautologies over labelled transition systems via $\models^a$ is what characterizes modal transition systems that are refinement-equivalent to labelled transition systems.

(2) We have $(N, Waits) \not\models^a [newPint][talks](\langle drinks\rangle tt \vee \neg\langle drinks\rangle tt)$ as there is an $R^c$-path (Waits, newPint, Drinks)(Drinks, talks, Talks) for the word $newPint\ talks \in Act^*$ and $(N, Talks) \not\models^a \langle drinks\rangle tt \vee \neg\langle drinks\rangle tt$ by item (1). Therefore, the check $(N, Waits) \models^a [newPint][talks](\langle drinks\rangle tt \vee \neg\langle drinks\rangle tt)$ is unable to validate a tautology over labelled transition systems at state Waits in $N$.

3.4. Denseness of image-finite labelled transition systems. We sketch the definition of the embedding $(\!|M, i|\!) \in D$ for an image-finite modal transition system $(M, i)$ such that $(M, i)$ and $(\mathcal{D}, (\!|M, i|\!))$ are refinement-equivalent [27]. This construction follows ideas from algebraic semantics à la Nivat-Courcelle-Guessarian [?] or à la Goguen-Thatcher-Wagner-Wright [?] in that we unfold pointed modal transition systems as finite trees for a fixed depth, adding a may-stub to all leaves of that tree for which there are still outgoing transitions in the pointed modal transition system. This unfolding is presented here via a simple process algebra.

Definition 3.6.

(1) The grammar for the process algebra MPA is

$p ::= 0 \mid \bot \mid \alpha_{tt}.p \mid \alpha_\bot.p \mid p + p$ (3.6)

where $\alpha$ ranges over the finite set of events $Act$ and no $p$ in $p + p$ is allowed to be $\bot$ or $0$.

(2) For each $p \in$ MPA let $\{\!|p|\!\} \in D$ be as in Figure 6.

(3) For all $p \in$ MPA, the structural operational semantics in Figure 7 defines a pointed modal transition system $((\!|p|\!), p)$.

Example 3.7. Let $p \in$ MPA be $drinks_\bot.\bot + orders_{tt}.\bot + talks_{tt}.0$. Then $((\!|p|\!), p)$ is refinement-equivalent to the image-finite pointed modal transition system in Figure 8.

We record that the denotational semantics of MPA in $D$ matches the structural operational semantics. This proof is straightforward and amounts to showing that the saturations with ${\downarrow}$ and ${\uparrow}$ in $D$ do not break refinement equivalence as they always occur in the right direction.
$\{\!|0|\!\} = ((\{\}, \{\}))_{\alpha \in Act}$

$\{\!|\bot|\!\} = ((\{\}, D))_{\alpha \in Act}$

$(\{\!|\alpha_{tt}.p|\!\}^a_\alpha,\ \{\!|\alpha_{tt}.p|\!\}^c_\alpha) = ({\downarrow}\{\!|p|\!\},\ {\uparrow}\{\!|p|\!\})$

$(\{\!|\alpha_{tt}.p|\!\}^a_\beta,\ \{\!|\alpha_{tt}.p|\!\}^c_\beta) = (\{\}, \{\})$, $\quad \alpha \ne \beta$

$(\{\!|\alpha_\bot.p|\!\}^a_\alpha,\ \{\!|\alpha_\bot.p|\!\}^c_\alpha) = (\{\},\ {\uparrow}\{\!|p|\!\})$

$(\{\!|\alpha_\bot.p|\!\}^a_\beta,\ \{\!|\alpha_\bot.p|\!\}^c_\beta) = (\{\}, \{\})$, $\quad \alpha \ne \beta$

$\{\!|p + q|\!\}^m_\gamma = \{\!|p|\!\}^m_\gamma \cup \{\!|q|\!\}^m_\gamma$, $\quad \gamma \in Act$, $m \in \{a, c\}$

Figure 6: A denotational semantics of MPA in $D$ that interprets $0$ as deadlock, $\bot$ as the least element, $+$ as the mix union of [22], and the prefixes as expected using saturations with ${\downarrow}$ and ${\uparrow}$ to ensure membership in $D$.

Lemma 3.8 ([?]). For all $p \in$ MPA, the modal transition system $((\!|p|\!), p)$ is refinement-equivalent to the mixed transition system $(\mathcal{D}, \{\!|p|\!\})$.

To define the embedding $(\!|M, i|\!)$ for an image-finite pointed modal transition system $(M, i)$ consider $m \ge 0$, unwind $M$ from $i$ as a tree $M[m]$ such that all, and only, paths of length $\le m$ of $M$ are present. If a leaf of that tree has some $R^c$-successor in $M$, create $R^c$-loops on that leaf for all events in $Act$ (a may-stub); otherwise, leave it as is (deadlock). By construction, this image-finite pointed modal transition system $(M[m], i)$ is the operational meaning $((\!|p_m|\!), p_m)$ of a term $p_m \in$ MPA so $m \le m'$ and Lemma 3.8 imply that $\{\!|p_m|\!\} \le \{\!|p_{m'}|\!\}$. Thus $\{\{\!|p_m|\!\} \mid m \ge 0\}$ is directed and we can set

$(\!|M, i|\!) = \bigvee_{m \ge 0} \{\!|p_m|\!\}$ (3.7)

and note, shown in [?] for bifinite domains without reference to a process algebra, that

$K(D) = \{\{\!|p|\!\} \mid p \in \text{MPA}\}$. (3.8)

We may thus represent all $k \in K(D)$ in the form $\{\!|p|\!\}$ for some $p \in$ MPA subsequently.

Example 3.9. Figure 8 illustrates the construction of a finite approximation and depicts $(M[1], TomDrinks)$ for the pointed modal transition system $(M, TomDrinks)$ of Figure 2.

We define the characteristic formulas for terms $p$ of the process algebra MPA, which will also be the characteristic formulas of the compact elements $\{\!|p|\!\}$ of $D$.

Definition 3.10. For each $p \in$ MPA, we define the formula $\phi_p$ of Hennessy-Milner logic in Figure 9.

These formulas characterize their terms, for one can interchange refinement checks $(\mathcal{D}, \{\!|p|\!\}) \prec (\mathcal{D}, d)$ with model checks $(\mathcal{D}, d) \models^a \phi_p$ for all $d \in D$.
[Figure 7: rules MayStub ($\forall \gamma \in Act$), MustPrefix, MayPrefix, LChoice, RChoice]

Figure 7: Structural operational semantics of MPA in $D$: $p \xrightarrow{\alpha}_\bot p'$ and $p \xrightarrow{\alpha}_{tt} p'$ denote a may-transition (respectively) must-transition from $p$ to $p'$, with label $\alpha \in Act$. There are no transitions out of $0$; $u \in \{\bot, tt\}$; and the occurrence of $\gamma$ ranges over all events in $Act$.

[Figure 8: states TomDrinks, Waits, TomTalks and a second TomDrinks, with transitions labelled orders, talks and drinks]

Figure 8: The pointed modal transition system $(M[1], TomDrinks)$, an approximation of the pointed modal transition system $(M, TomDrinks)$ in Figure 2. The states Waits and the second TomDrinks turn into may-stubs whereas the approximation recognizes TomTalks as a deadlocked state.

Lemma 3.11. For all d ∈ D we have

    {| p |} ≤ d iff (𝒟, d) ⊨^a φ_p.    (3.9)

Proof. We prove this by structural induction on p ∈ MPA.

• We have {| 0 |} ≤ d iff (there are no R^c-transitions out of d) iff (𝒟, d) ⊨^a φ_0.

• We have {| ⊥ |} ≤ d for all d ∈ D, but also (𝒟, d) ⊨^a φ_⊥ for all d ∈ D.

• Using induction on p, we have (𝒟, d) ⊨^a φ_{α_tt.p} iff (there is an R^a-transition (d, α, d')
in 𝒟 with {| p |} ≤ d'; all R^c-transitions (d, α, d'') in 𝒟 satisfy {| p |} ≤ d''; and
there are no R^c-transitions out of d in 𝒟 for other events). This exactly captures
{| α_tt.p |} ≤ d.

• By induction on p, we have (𝒟, d) ⊨^a φ_{α_⊥.p} iff (there are no R^c-transitions out of d
for events other than α, and all R^c-transitions (d, α, d') satisfy {| p |} ≤ d'). But this
captures {| α_⊥.p |} ≤ d.

• Let (𝒟, d) ⊨^a φ_{p+q}. Then (𝒟, d) ⊨^a ∧_{a ∈ Act} ∧_{p+q →^tt r'} ⟨a⟩φ_{r'} and induction express
that all R^a-transitions out of p + q to some r' can be answered by corresponding
(d, a, d') ∈ R^a with {| r' |} ≤ d'; whereas (𝒟, d) ⊨^a ∧_{a ∈ Act} [a](∨{φ_{r'} | ∃u ∈
{⊥, tt}: p + q →^u r'}) states that all (d, a, d') ∈ R^c can be answered in (| p + q |, p + q)
by corresponding R^c-transitions to some r' such that {| r' |} ≤ d' by induction. So
{| p + q |} ≤ d. □

Figure 9: The characteristic formulas φ_p for terms p of the process algebra MPA. (Of
the table only φ_⊥ = tt and the first conjunct of φ_{p+q}, ∧{⟨a⟩φ_{r'} | a ∈ Act, p + q →^tt r'},
are legible in the source.)

This characterization is the key to proving that D is fully abstract and that refinement is 
characterized by the semantics for Hennessy-Milner logic. 

Corollary 3.12 ([27]).

(1) The order on D is the greatest refinement relation within 𝒟.

(2) For all pointed modal transition systems (M, i) and (N, j) the following are equiva-
lent:

(a) (M, i) ≺ (N, j)

(b) for all φ of Hennessy-Milner logic, (M, i) ⊨^a φ implies (N, j) ⊨^a φ

(c) for all φ of Hennessy-Milner logic, (N, j) ⊨^c φ implies (M, i) ⊨^c φ.

Proof.

(1) That the order of D is a refinement follows directly from the definition of 𝒟. For
the converse, we show "d ≰ e implies that (𝒟, e) does not refine (𝒟, d)": First note
that K(D) order-generates D so d ≰ e implies k ≤ d and k ≰ e for some k ∈ K(D).
Then there is p ∈ MPA with k = {| p |} so that, by Lemma 3.11, for all f ∈ D: k ≤ f
iff (𝒟, f) ⊨^a φ_p. Thus, (𝒟, d) ⊨^a φ_p and (𝒟, e) ⊭^a φ_p imply that e does not refine d in
𝒟.

(2) Since ⊨^a and ⊨^c are dual with respect to negation, (b) and (c) are equivalent. The
proof that (a) implies (b) is a straightforward structural induction on φ [21]. That
(b) implies (a) follows from item (1), Lemma 3.11 and the fact that D is algebraic.

□

We demonstrate that embeddings of pointed image-finite labelled transition systems
are dense in (X, τ_X), which we subsequently show to be the quotient space of all pointed
labelled transition systems with respect to bisimulation. The denseness argument rests on
the fact that embeddings of implementations are maximal elements of D.

Lemma 3.13. Let d ∈ D be such that, for all φ of Hennessy-Milner logic, (𝒟, d) ⊨^c φ implies
(𝒟, d) ⊨^a φ. Then d ∈ max(D).

Proof. Consider such a d and let d ≤ e in D. Since ≤ is a partial order and since D is
algebraic it suffices to show that ↓e ∩ K(D) ⊆ ↓d. So let {| p |} ∈ K(D) with {| p |} ≤ e. For
φ_p of (3.9), {| p |} ≤ e implies (𝒟, e) ⊨^a φ_p which implies (𝒟, e) ⊨^c φ_p by Corollary 3.12 as D
is fully abstract. But d ≤ e means (𝒟, d) ≺ (𝒟, e) as D is fully abstract, and so (𝒟, d) ⊨^c φ_p
by Corollary 3.12 as (𝒟, e) ⊨^c φ_p. By assumption on d, this renders (𝒟, d) ⊨^a φ_p and so
{| p |} ≤ d by (3.9). □

Proposition 3.14. The set of all embeddings of pointed image-finite labelled transition
systems is dense in (X, τ_X).

Proof. As any pointed image-finite labelled transition system (L, l) is refinement-equivalent
to (𝒟, (| L, l |)) [27], the embedding (| L, l |) is in max(D) = X since it satisfies the assumptions
of Lemma 3.13.

Let O ∈ τ_X be non-empty, so O = U ∩ max(D) for some U ∈ σ_D, and there is some
k = {| p |} ∈ K(D) with M(k) ⊆ U ∩ max(D) since O is non-empty and D is algebraic. Let q ∈ MPA
be obtained by replacing all ⊥ in p with 0 and, for all γ ∈ Act, all prefixes γ_⊥ with γ_tt.
Then (| q |, q) refines (| p |, p). Since (| q |, q) is a pointed labelled transition system and
(| r |, r) is refinement-equivalent to (𝒟, {| r |}) for all r ∈ MPA by Lemma 3.8, we conclude
{| q |} ∈ M(k) ⊆ O by Lemma 3.13 and {| q |} is the embedding of a pointed image-finite
labelled transition system. □

3.5. Compactness of maximal-points space. We show that (X, τ_X) is compact by prov-
ing, indirectly, that max(D) is λ_D-closed. Using results from [?] one could show that max(D)
is λ_D-closed by finding a subset T of K(D) that is a finitely branching tree and co-final in
K(D). Given a candidate of such a T, the property that is difficult to ascertain is that
any two elements of T that have an upper bound in K(D) are comparable. For example,
consider the compact elements {| α_tt.⊥ + β_tt.0 |} and {| α_tt.0 + β_tt.⊥ |}, both of which have
the compact element {| α_tt.0 + β_tt.0 |} as an upper bound yet neither of them refines the
other.

Faced with these difficulties, we therefore take a different route and realize max(D) as
the set of those elements d of D that pass a set of judgments (𝒟, d) ⊨^a ψ_p^{w,a} where the ψ_p^{w,a}
are formulas of Hennessy-Milner logic.

Definition 3.15.

(1) Let w = δ_1δ_2 ⋯ δ_n ∈ Act*, a ∈ Act, and p ∈ MPA. Then we define the Hennessy-
Milner logic formula

    ψ_p^{w,a} = [δ_1][δ_2] ⋯ [δ_n](⟨a⟩φ_p ∨ ¬⟨a⟩φ_p)    (3.10)

with φ_p as in Figure 9.

(2) Let Φ be the set of all Hennessy-Milner logic formulas ψ_p^{w,a} where w ∈ Act*, a ∈
Act, and p ∈ MPA.

(3) For φ of Hennessy-Milner logic and all m ∈ {a, c} we define

    |φ|^m = {d ∈ D | (𝒟, d) ⊨^m φ}.    (3.11)

(4) Let C_Φ = ∩_{φ ∈ Φ} |φ|^a.

For each formula φ in Φ, the test (𝒟, d) ⊨^a φ checks whether there is a certain R^c-
reachable state from d with a certain outgoing may-transition that cannot be matched with
a corresponding outgoing must-transition. Accordingly, C_Φ consists of those elements whose
reachable states always find such a match. Intuitively, those should be the elements that
represent labelled transition systems.

Example 3.16. The formulas in items (1) and (2) of Example 3.5 are in Φ as tt is φ_⊥,
{| ⊥ |} = ⊥_D ∈ K(D), and ε ∈ Act*.

Rather than proving directly that max(D) is λ_D-closed, we first establish that C_Φ is
λ_D-closed and then prove max(D) = C_Φ. Whence maximal elements in D are exactly those
elements whose reachable may-transitions have matching must-transitions. As C_Φ is the
intersection of sets of the form |ψ|^a, we can show that the former is λ_D-closed by proving
that all latter sets are λ_D-closed. We do this by structural induction on φ which requires a
stronger induction hypothesis.

Lemma 3.17. For each φ of Hennessy-Milner logic, the sets |φ|^a and |φ|^c are λ_D-clopen.
In particular, C_Φ is λ_D-closed.

Proof. We proceed with the first claim by structural induction on φ. This is evident for the
clauses tt, negation, and conjunction since |tt|^m = D is λ_D-clopen and clopens are closed
under set complement (|¬φ|^a = D \ |φ|^c and |¬φ|^c = D \ |φ|^a) and finite intersections.

We still require proofs for ⟨a⟩φ, where for each m ∈ {a, c} we have

    |⟨a⟩φ|^m = {d ∈ D | d^m_a ∩ |φ|^m ≠ {}}.    (3.12)

• Let m = a. By Theorem 4.2 in [27], |ψ|^a is σ_D-open for all ψ of Hennessy-Milner
logic, so |⟨a⟩φ|^a ∈ σ_D ⊆ λ_D and it suffices to show that |⟨a⟩φ|^a is λ_D-closed, i.e.
σ_D-compact as an upper set. By induction, |φ|^a is λ_D-clopen; it is also σ_D-open
so |φ|^a = ↑F_φ for a finite subset F_φ ⊆ K(D) as D is algebraic. By the definition
of |⟨a⟩φ|^a we have e ∈ |⟨a⟩φ|^a iff e^a_a ∩ ↑F_φ ≠ {} iff e^a_a ∩ F_φ ≠ {} (as e^a_a is a
lower set). For each y ∈ F_φ define c(y) = (c(y)_γ)_{γ ∈ Act} ∈ D by c(y)_β = ({}, D) for
all β ≠ a and c(y)_a = (↓y, D). Then C = {c(y) | y ∈ F_φ} is finite and C ⊆ K(D).
Since y ∈ c(y)^a_a ∩ F_φ for all y ∈ F_φ, we get ↑C ⊆ |⟨a⟩φ|^a as the latter set is upper.
Note that for each y ∈ F_φ we have c(y) ≤ e in D iff y ∈ e^a_a. Therefore, e ∈ |⟨a⟩φ|^a
implies e ∈ ↑C. Thus, |⟨a⟩φ|^a equals ↑C for the finite subset C of K(D).

• Let m = c. From Theorem 4.2 in [27] we already know that |⟨a⟩φ|^c is ω_D-closed
and therefore λ_D-closed. Thus, it suffices to show that |⟨a⟩φ|^c is λ_D-open. By
induction, |φ|^c is λ_D-open and therefore D \ |φ|^c = |¬φ|^a is λ_D-closed (and σ_D-
open), i.e. σ_D-compact upper. Since D is algebraic, |¬φ|^a = ↑F_{¬φ} for a finite subset
F_{¬φ} of K(D). Thus, |φ|^c = D \ ↑F_{¬φ}. Inspecting the definition of |⟨a⟩φ|^c we infer
e ∈ |⟨a⟩φ|^c iff there is some x ∈ e^c_a such that x ∉ ↑F_{¬φ}. Now let d ∈ |⟨a⟩φ|^c.
We claim that there are compact elements k and l with d ∈ ↑k \ ↑l ⊆ |⟨a⟩φ|^c,
which concludes the proof since ↑k \ ↑l is λ_D-open. Choose any k ∈ ↓d ∩ K(D). As
for l = (l_γ)_{γ ∈ Act}, set l_β = ({}, D) for all β ≠ a, and l_a = ({}, ↑F_{¬φ}); in particular,
l ∈ K(D). Note that l ≰ e in D iff e^c_a ⊄ ↑F_{¬φ} iff (for some x ∈ e^c_a, x ∉ ↑F_{¬φ}).
Therefore, d ∈ ↑k \ ↑l ⊆ |⟨a⟩φ|^c.

So C_Φ is λ_D-closed as the intersection of λ_D-closed sets. □






In [?], open sets are thought of as observable properties, so the denotations of Hennessy-
Milner logic formulas in D (and in X) are closed under negation as observations. If we
extend these denotations to the modal mu-calculus [?], we expect observable properties to
correspond to sets in the Borel algebra generated by σ_D.

Using the denseness of embeddings of image-finite labelled transition systems in X, we
can prove the inclusion max(D) ⊆ C_Φ.

Lemma 3.18. The set max(D) is contained in C_Φ.

Proof. Let A be the set of all embeddings (| L, l |) of pointed image-finite labelled transition
systems (L, l). Then A ⊆ C_Φ follows as

• (𝒟, (| L, l |)) is refinement-equivalent to (L, l),

• ⟨a⟩φ ∨ ¬⟨a⟩φ is valid over labelled transition systems for all φ of Hennessy-Milner
logic,

• [δ_i]φ is valid over labelled transition systems whenever φ is, and

• ⊨^a is the standard semantics of Hennessy-Milner logic over labelled transition sys-
tems.

By Proposition 3.14, A is a dense subset of (X, τ_X) and so its superset C_Φ ∩ max(D)
is also dense in (X, τ_X) and is τ_X-closed by the Lawson condition for D since C_Φ is λ_D-
closed by Lemma 3.17. But the only dense τ_X-closed subset of (X, τ_X) is X itself and so
C_Φ ∩ max(D) = max(D) follows which implies max(D) ⊆ C_Φ. □

For a proof of the reverse inclusion C_Φ ⊆ max(D) we need to clarify the structure of
elements in C_Φ.

Lemma 3.19. Let d ∈ C_Φ. Then:

(1) All d' ∈ D that are reachable from d in the labelled transition system (D, R^c) are in
C_Φ as well.

(2) For all a ∈ Act we have d^c_a = ↑(d^a_a ∩ d^c_a).

(3) For all φ of Hennessy-Milner logic, (𝒟, d) ⊨^c φ implies (𝒟, d) ⊨^a φ.

Proof.

(1) Let d' be reachable from d in (D, R^c) and let w' ∈ Act* be the word obtained by
travelling from d to d' on such a path. Given ψ_p^{w,a} ∈ Φ, the concatenation w'w
is in Act* and so ψ_p^{w'w,a} ∈ Φ. Thus the path for w' above and d ∈ C_Φ ensure
(𝒟, d') ⊨^a ψ_p^{w,a} and so d' ∈ C_Φ.

(2) Let a ∈ Act. Since ↑(d^a_a ∩ d^c_a) ⊆ ↑d^c_a = d^c_a, it suffices to show d^c_a ⊆ ↑(d^a_a ∩ d^c_a). Proof
by contradiction: Let x ∈ d^c_a \ ↑(d^a_a ∩ d^c_a). Then x ∈ d^c_a and d^a_a ∩ d^c_a ⊆ ↑(d^a_a ∩ d^c_a)
imply x ∉ d^a_a and so x ∈ D \ d^a_a. As D is algebraic and D \ d^a_a ∈ σ_D, there is some
{| p |} ∈ K(D) with {| p |} ∈ D \ d^a_a and {| p |} ≤ x, and so ↑{| p |} ∩ d^a_a = {} as d^a_a
is a lower set. But d ∈ C_Φ implies (𝒟, d) ⊨^a ⟨a⟩φ_p ∨ ¬⟨a⟩φ_p, as ⟨a⟩φ_p ∨ ¬⟨a⟩φ_p is
ψ_p^{ε,a}, and so ↑{| p |} ∩ d^a_a = {} implies ↑{| p |} ∩ d^c_a = {} by the definition of |⟨a⟩φ|^m
in (3.12), contradicting x ∈ ↑{| p |} ∩ d^c_a.

(3) We use structural induction on φ. The cases for tt, negation, and conjunction are
straightforward. Let (𝒟, d) ⊨^c ⟨a⟩φ, so (𝒟, d') ⊨^c φ for some d' ∈ d^c_a. By item (2),
there is some d'' ∈ d^a_a ∩ d^c_a with d'' ≤ d'. But then (𝒟, d') ⊨^c φ and d'' ≤ d' imply
(𝒟, d'') ⊨^c φ by Corollary 3.12. Since d'' ∈ d^c_a is reachable from d in (D, R^c) it is in
C_Φ by item (1). Thus, we can apply induction on d'' and get (𝒟, d'') ⊨^a φ. Since
d'' ∈ d^a_a, this renders (𝒟, d) ⊨^a ⟨a⟩φ. □

We now have all the machinery at our disposal for stating and proving our main results
in the next two theorems.

Theorem 3.20. The set max(D) equals C_Φ. In particular, max(D) is λ_D-closed and (X, τ_X)
is a Stone space in which the set of embeddings of pointed image-finite labelled transition
systems is dense.

Proof. From item (3) of Lemma 3.19 and Lemma 3.13 we infer C_Φ ⊆ max(D). Lemma 3.18
then renders max(D) = C_Φ. By Lemma 3.17 this means that max(D) is λ_D-closed. By
Propositions 3.2 and [?] it suffices to show that (X, τ_X) is compact. Let X = ∪𝒰 for
𝒰 ⊆ τ_X. By the definition of τ_X, each U ∈ 𝒰 is of the form V_U ∩ max(D) for some V_U ∈ σ_D.
Since D is a bifinite domain, (D, λ_D) is compact [?]. Since max(D) is λ_D-closed it is λ_D-
compact as a λ_D-closed subset of the compact space (D, λ_D). From X = ∪𝒰 and σ_D ⊆ λ_D
we infer that max(D) ⊆ ∪{V_U | U ∈ 𝒰} ∈ λ_D. The λ_D-compactness of max(D) therefore
implies the existence of a finite set ℱ ⊆ 𝒰 with max(D) ⊆ ∪{V_U | U ∈ ℱ}. But then
X ⊆ ∪ℱ follows. □

3.6. Maximal-points space as quotient space of labelled transition systems. The-
orem 3.20 is of interest in its own right since max(D) is not λ_D-closed for bifinite domains D
in general. But we also have to demonstrate that X is the desired quotient space of labelled
transition systems modulo bisimulation.

Definition 3.21. Given a topological space (X, τ) let C[X, τ] be the poset of all τ-compact
subsets of X, ordered by reverse inclusion: C ⊑ C' iff C' ⊆ C.

Theorem 3.22.

(1) The embedding (M, i) ↦ (| M, i |) for pointed image-finite modal transition systems
given in [?] extends to pointed modal transition systems such that labelled transition
systems are embedded into max(D).

(2) Conversely, for any d ∈ max(D) the pointed mixed transition system (𝒟, d) is
refinement-equivalent to a labelled transition system. (It doesn't "type check" to
ask whether (𝒟, d) is bisimilar to a labelled transition system; but ↓ and ↑ are merely
saturation artifacts of the model.)

(3) We have the isomorphism

    X ≅ ∏_{a ∈ Act} C[X, τ_X]    (3.13)

of sets where x = (x_a)_{a ∈ Act} models the a-successors of x as the τ_X-compact set x_a,
for each a ∈ Act.

Proof.

(1) Whenever a state s has infinitely many states {s_i | i ∈ I} as a-successors for
R^c, choose a finite subset F of I, retain transitions (s, a, s_i) and their must/may
status for all i ∈ F, discard all (s, a, s_i) with i ∉ F, and create a may-stub s_F
(embedded as ⊥_D) and a may-transition (s, a, s_F). Doing this for all events while, at
the same time, unfolding (M, i) as a tree ensures that all approximations are image-
finite with limit (| M, i |) such that (𝒟, (| M, i |)) is refinement-equivalent to (M, i). In
particular, (| M, i |) ∈ max(D) by Lemma 3.13 whenever (M, i) is a labelled transition
system.

(2) Let d ∈ max(D) and a ∈ Act. The set d^a_a ∩ d^c_a is contained in C_Φ, which equals max(D),
and d^c_a = ↑(d^a_a ∩ d^c_a) by Lemma 3.19 and Theorem 3.20. Combining this with (3.13), we
infer d = (↑(d^a_a ∩ d^c_a), d^a_a ∩ d^c_a)_{a ∈ Act}. But since C_Φ is closed under states reachable
in (D, R^c), we may assume this representation for all elements e reachable from d in
(D, R^c). Therefore, (𝒟, d) is refinement-equivalent to the modal transition system
with no may-transitions that replaces ↑(e^a_a ∩ e^c_a) with e^a_a ∩ e^c_a for all a ∈ Act and all
e reachable from d in (D, R^c).

(3) The isomorphism follows from the equation for D and Lemmas 34.5 and 25 of [?]; the
latter is stated for SFP^M-domains D, which are bifinite, but its proof only requires
that max(D) is λ_D-closed. □

An immediate consequence of these two main theorems is that sets of implementations 
of modal transition systems are compact in the quotient space modulo bisimulation. 

Corollary 3.23. For each pointed modal transition system {M,s), its set of implementa- 
tions is compact in the quotient space of labelled transition systems modulo bisimulation. 

Proof. The set of implementations of (M, s) in X is M((| M, s |)) = ↑(| M, s |) ∩ max(D) which
is λ_D-closed as the intersection of two λ_D-closed sets and so it is τ_X-compact. □

4. Applications of compactness

We now discuss some of the consequences of the compactness of τ_X: a compactness
theorem for Hennessy-Milner logic on compact sets of implementations, an abstract in-
terpretation of compact sets of implementations as Scott-closed sets of modal transition
systems, and a robust consistency measure for modal transition systems.

4.1. A compactness theorem for sets of implementations. Compactness of (X, τ_X),
stated in terms of Hennessy-Milner logic, is familiar from first-order logic but here se-
cured without appeal to a complete proof system. Such semantic techniques for proving
compactness are not new; we mention model-theoretic techniques based on ultra-filters.
A compactness theorem for Hennessy-Milner logic alone already follows from its standard
encoding in first-order logic. However, we prove a compactness result that goes beyond
Hennessy-Milner logic as it applies to compact sets of labelled transition systems, in par-
ticular to the set of common implementations of finitely many pointed modal transition
systems. For a single such system, (𝒟, ⊥_D), we then regain the familiar compactness the-
orem for Hennessy-Milner logic. Our result is stronger than this familiar theorem as the
sets of implementations of pointed modal transition systems are not expressible through
Hennessy-Milner logic. In Theorem 4.8(2) below we see that these sets are expressible in
Hennessy-Milner logic extended with greatest fixed points for finite-state modal transition
systems.

Corollary 4.1.

(1) Let Γ be a set of formulas of Hennessy-Milner logic and C a τ_X-compact set such
that for all finite subsets Δ of Γ there is some c_Δ ∈ C that satisfies ∧Δ. Then
there is some c_Γ ∈ C that satisfies all formulas of Γ.

(2) In particular, let Γ be a set of formulas of Hennessy-Milner logic and {(M_i, s_i) |
1 ≤ i ≤ k} a finite set of pointed modal transition systems such that for all finite
subsets Δ of Γ there is a pointed labelled transition system that refines all (M_i, s_i)
and satisfies ∧Δ. Then there is a pointed labelled transition system that refines all
(M_i, s_i) and satisfies all formulas of Γ.
Proof. By Corollary 3.23 it suffices to prove item (1). By duality of consistency (i.e. satisfi-
ability) and validity, it suffices to prove the dual statement of item (1): assume that every
c ∈ C satisfies at least one φ ∈ Γ and show that there is a finite set Δ ⊆ Γ such that ∨Δ
is valid over the set C. By this assumption, we have

    C ⊆ ∪𝒰    (4.1)

where 𝒰 = {|φ|^a ∩ max(D) | φ ∈ Γ} is a subset of τ_X as all |φ|^a are in σ_D by Theorem 4.2
in [27]. As C is τ_X-compact, there is a finite ℱ ⊆ 𝒰 with C ⊆ ∪ℱ, i.e. C ⊆ ∪_{φ ∈ Δ} |φ|^a =
|∨Δ|^a for a finite set Δ ⊆ Γ. Thus all c ∈ C satisfy ∨Δ. □

Example 4.2. Figure 10 depicts schematically the set of common implementations of two
pointed modal transition systems (𝒟, d) and (𝒟, e), the intersection of the implementations
of d and e. This is a compact subset of X and so we get a compactness theorem for
Hennessy-Milner logic on that set.

4.2. Abstract interpretation of τ_X-compact sets of implementations. Cousot &
Cousot's abstract interpretation framework [?] approximates concrete objects and their
transformations by abstract objects and transformations such that reasoning on abstract
objects is sound for their concretizations. In a simple setting, one is given a set C of
concrete objects (e.g. computer programs) and a partial order (A, ≤) of abstract objects,
a monotone abstraction function α: (P(C), ⊆) → (A, ≤), and a monotone concretization
function γ: (A, ≤) → (P(C), ⊆). The value a = α(X) should represent the best approxi-
mation of X ⊆ C within the partial order (A, ≤) and γ(a) should represent the set of those
concrete objects that are abstracted by a. One can encode these intuitions by making α
and γ a Galois connection [?], a notion we define below.

Example 4.3. Let C be the set of natural numbers and A = {T, O, E} where T is the
top element and O and E are incomparable. Define α(X) to be O if all elements of X
are odd; E if all elements of X are even; and T otherwise. Then α({2, 46, 128}) = E and
α({2, 4, 7}) = T etc. Define γ(E) = {0, 2, 4, ...}, γ(O) = {1, 3, 5, ...}, and γ(T) = C.
Then α({2, 46, 128}) = E says that E is the least element that soundly represents the set
{2, 46, 128}. The equation γ(α({2, 46, 128})) = {0, 2, 4, ...} shows that the abstract value
of {2, 46, 128} has a larger set of concrete objects.

We want to apply this framework in our setting. From the compactness of τ_X, Corol-
lary 3.23 infers that the set M((| M, s |)) is τ_X-compact for all pointed modal transition sys-
tems (M, s). Said τ_X-compact set comprises all the implementations of (M, s). Conversely, a
τ_X-compact set C of labelled transition systems can be approximated by any pointed modal
transition system (M, s) satisfying C ⊆ M((| M, s |)). Ideally, one wants an optimal such
(M, s), one for which the difference M((| M, s |)) \ C is minimal. Of course, this optimality
is ensured for any C of the form M((| M, s |)). The next example shows that there is no
optimal (M, s) in general.

Example 4.4. Consider two pointed modal transition trees (M_1, s_1) and (M_2, s_2) that have
a common refinement but do not refine each other. In general, there will be more than one
minimal upper bound of the set {(| M_1, s_1 |), (| M_2, s_2 |)} in D so there cannot be a d ∈ D such
that M(d) equals the τ_X-compact set M((| M_1, s_1 |)) ∩ M((| M_2, s_2 |)).

The fact that modal transition systems cannot be such optimal abstractions of τ_X-
compact sets seems to be related to the incompleteness of modal transition systems for
abstraction-based model checking [?] since D is not bounded complete. But there is a
Galois connection between τ_X-compact subsets of X and σ_D-closed subsets of D. For a
τ_X-compact set C its set of concretizations is the Scott-closed set of all (M, s) for which
C ⊆ M((| M, s |)). Conversely, a Scott-closed subset L of pointed modal transition systems
is abstracted as the set of those pointed labelled transition systems that implement all
elements of L.

Definition 4.5.

(1) Let ℒ[D] = {L | L σ_D-closed} be the set of σ_D-closed subsets of D, ordered by set
inclusion: L is less than or equal to L' iff L ⊆ L'.

(2) Let L_1 and L_2 be complete lattices. A Galois connection [?] is a pair of monotone
maps α: L_1 → L_2 and γ: L_2 → L_1 such that for all x ∈ L_1 we have γ(α(x)) ≥ x
and for all y ∈ L_2 we have α(γ(y)) ≤ y. In that case, α is the upper adjoint of γ.

Theorem 4.6. The maps γ: C[X, τ_X] → ℒ[D] and α: ℒ[D] → C[X, τ_X] defined by

    γ(C) = {d ∈ D | C ⊆ M(d)}    (4.2)

    α(L) = ∩_{d ∈ L} M(d)

form a Galois connection, where α is the upper adjoint of γ.

Proof.

• The map γ is well defined. First, d ≤ e implies M(e) ⊆ M(d) and so γ(C) is a lower
set. Second, let (d_i)_{i ∈ I} be directed in γ(C). Then C ⊆ ∩_{i ∈ I} M(d_i) and the latter
equals M(⋁_{i ∈ I} d_i), so γ(C) is σ_D-closed.

• The map α is well defined. For if L is empty, then α(L) = X is τ_X-compact; and
if L is non-empty, α(L) is the intersection of λ_D-closed elements and so λ_D-closed
whence τ_X-compact.

• The map γ is monotone. Let C ⊑ C', i.e. C' ⊆ C. Then d ∈ γ(C) means C ⊆ M(d)
and so C' ⊆ M(d) follows. Therefore d ∈ γ(C') and so γ(C) ⊆ γ(C').

• The map α is monotone. Let L ⊆ L'. Then α(L') = ∩_{d ∈ L'} M(d) ⊆ ∩_{d ∈ L} M(d) =
α(L) and so α(L) ⊑ α(L').

• To see γ ∘ α ≥ id_{ℒ[D]} let L ∈ ℒ[D]. Then γ(α(L)) = {e ∈ D | α(L) ⊆ M(e)} = {e ∈
D | ∩_{d ∈ L} M(d) ⊆ M(e)} clearly contains L.

• To see α ∘ γ ≤ id_{C[X, τ_X]} let C ∈ C[X, τ_X]. Then α(γ(C)) = α({d ∈ D | C ⊆ M(d)}) =
∩{M(d) | C ⊆ M(d)} obviously contains C. □

Theorem 4.6 remains valid if we reverse the orders on the domains C[X, τ_X] and
ℒ[D] and swap the names α and γ throughout the theorem and its proof. In that case, a
τ_X-compact set C is abstracted by a set L of pointed modal transition systems and any such
L has a set of pointed labelled transition systems as concretizations. This view is perhaps
more natural.

4.3. Consistency measure for modal transition systems. We explicitly state the met-
rics d_D for pointed modal transition systems and d_X for pointed labelled transition systems.
The latter is then used to define a consistency measure on modal transition systems as an
alternative to the metric d_D. Fix an enumeration p_0, p_1, ... of MPA and set

    d_D(d, e) = inf{2^{-n} | ∀i < n: {| p_i |} ≤ d iff {| p_i |} ≤ e}
    d_X(x, y) = inf{2^{-n} | ∀i < n: {| p_i |} ≤ x iff {| p_i |} ≤ y}.

Then the topology determined by d_D and d_X is λ_D and τ_X, respectively. For practical
purposes we wish to enumerate p ∈ MPA in increasing modal depth of φ_p in (3.9), corre-
sponding to the iterative unfolding of the functional for bisimulation [?]. In that case, d_X
is essentially the metric in [12]. These metrics are standard and well understood but result
in consistency measures if lifted to compact sets of implementations.

We define the consistency measure c = λ(d, e).[c_1(d, e), c_2(d, e)]: D × D → I by

    c_1(d, e) = inf{d_X(x, y) | x ∈ M(d), y ∈ M(e)}

    c_2(d, e) = sup{d_X(x, y) | x ∈ M(d), y ∈ M(e)}

and use this as an alternative to the metric d_D for comparing the pointed modal transition
systems (𝒟, d) and (𝒟, e). Note that c_1 and c_2 are optimistic and pessimistic measures
(respectively) from the point of view of an implementor.

Example 4.7. Figure [?] shows a scenario where two pointed modal transition systems
(𝒟, d) and (𝒟, e) have a common refinement, and so c_1(d, e) = 0.

Since M(f) is τ_X-compact for all f ∈ D by Corollary 3.23, c_1(d, e) and c_2(d, e) are the
metric analogue of symmetric ∃∃ and ∀∀ lifts of relations from elements to subsets, here of d_X
to τ_X-compact subsets, respectively. The standard metric c(d, e) between compact subsets
M(d) and M(e), the Hausdorff distance, is the symmetric ∀∃-lift of d_X to τ_X-compact subsets
and so

    c_1(d, e) ≤ c(d, e) ≤ c_2(d, e).    (4.3)

Such consistency measures are of particular interest if d and e represent different view-
points [?, ?, 12] of the same system such that the degree of consistency between these
descriptions needs to be explored.
We prove that c_1 is a robust measure in that its kernel consists of those pairs of pointed
modal transition systems that have a common refinement.

Theorem 4.8.

(1) For all d, e ∈ D, we have c_1(d, e) = 0 iff (𝒟, d) and (𝒟, e) have a common refinement.

(2) Deciding whether two finite-state modal transition systems have a common refine-
ment is reducible to checking the satisfiability of a modal mu-calculus formula with
greatest fixed points only.

Proof.

(1) We use Theorems 3.20 and 3.22 repeatedly. If (𝒟, d) and (𝒟, e) have a common
refinement, there is some m ∈ M(d) ∩ M(e) and so c_1(d, e) = 0 as d_X(m, m) = 0.
Conversely, let c_1(d, e) = 0. Then for each n > 0 there are m^d_n ∈ M(d) and
m^e_n ∈ M(e) with d_X(m^d_n, m^e_n) < 1/n. Since (X, τ_X) is compact, there is a convergent
subsequence (m^d_{n_j})_{j ≥ 0} of (m^d_n)_{n > 0} with limit m^d and so m^d ∈ M(d) as the latter is
τ_X-closed. Since d_X(m^d_{n_j}, m^e_{n_j}) < 1/n_j for each j ≥ 0, this implies inf{d_X(m^d, m^e_{n_j}) |
j ≥ 0} = 0 and so m^d is in all τ_X-closed sets that contain {m^e_{n_j} | j ≥ 0}. Therefore,
m^d is in M(e) and so (𝒟, m^d) is a common refinement of (𝒟, d) and (𝒟, e).

(2) If (M, i) and (N, j) are finite-state, we show that there are formulas X_{(M,i)} and
X_{(N,j)} of the modal mu-calculus with greatest fixed points only such that the modal
mu-calculus formula X_{(M,i)} ∧ X_{(N,j)} is satisfiable over labelled transition systems iff
(M, i) and (N, j) have a common refinement. Larsen & Thomsen implicitly define
these formulas in the system of recursive equations (3) of [32] where, for each state
s in M,

    X_{(M,s)} = (∧_{(s,a,s') ∈ R^a} ⟨a⟩X_{(M,s')}) ∧ (∧_{a ∈ Act} [a](∨_{(s,a,s') ∈ R^c} X_{(M,s')}))    (4.4)

as a greatest fixed point. If s has finitely many reachable states in M, then X_{(M,s)} is
expressible in the modal mu-calculus, using a "calling context" on the set of states t
that are R^c-reachable from s and static scoping of the greatest fixed-point operators
νZ_t.φ. Now for all pointed labelled transition systems (L, l) we have (L, l) ⊨^a X_{(M,s)}
iff (M, s) ≺ (L, l) where we can use the proof of (3) in [32] which works in our setting
as conjunctions and disjunctions need not be finite. □

Example 4.9. Let M be the modal transition system from Figure 2. We write X_{(M,Drinks)}
as a formula of the modal mu-calculus with greatest fixed points only. Let

    X_{(M,Dr)} = νZ_Dr.[drinks]Z_Dr ∧ [talks]X^{Dr}_{(M,Ta)} ∧ [orders]X^{Dr}_{(M,Wa)}    (4.5)
    X^{Dr}_{(M,Ta)} = νZ_Ta.[drinks]Z_Dr ∧ [orders]X^{Dr,Ta}_{(M,Wa)}
    X^{Dr}_{(M,Wa)} = νZ_Wa.⟨newPint⟩Z_Dr ∧ ⟨newPint⟩X^{Dr,Wa}_{(M,Ta)} ∧ [newPint](Z_Dr ∨ X^{Dr,Wa}_{(M,Ta)})
    X^{Dr,Wa}_{(M,Ta)} = νZ_Ta.[drinks]Z_Dr ∧ [orders]Z_Wa
    X^{Dr,Ta}_{(M,Wa)} = νZ_Wa.⟨newPint⟩Z_Dr ∧ ⟨newPint⟩Z_Ta ∧ [newPint](Z_Dr ∨ Z_Ta)

where the superscripts in X^{...}_{(M,t)} record the "calling context" of the recursions.
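As an added illustration, not code from the paper, the following Python block models finite modal transition systems with the paper's split into must-transitions R^a and may-transitions R^c, computes refinement (M, s) ≺ (N, t) as the greatest fixed point that the recursive equations (4.4) encode, evaluates Hennessy-Milner formulas under the three-valued semantics ⊨^a / ⊨^c of (3.12), and checks the judgments ψ^{w,a} of Definition 3.15 together with the preservation of asserted formulas under refinement from Corollary 3.12. The systems SPEC, IMPL_OK and IMPL_BAD are constructed for this example in the spirit of the pub scenario and are not the paper's Figure 2; all function names are the example's own.

```python
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, Iterable, List, Set, Tuple

Trans = Tuple[str, str, str]  # (source state, event, target state)


@dataclass(frozen=True)
class MTS:
    """Finite modal transition system (S, R^a, R^c): must-transitions R^a, may-transitions
    R^c, with R^a ⊆ R^c (the paper's reading: 'a' = asserted, 'c' = consistent)."""
    states: FrozenSet[str]
    must: FrozenSet[Trans]
    may: FrozenSet[Trans]

    def __post_init__(self) -> None:
        if not self.must <= self.may:
            raise ValueError("every must-transition is also a may-transition")

    def succ(self, s: str, a: str, mode: str) -> Set[str]:
        """a-successors of s: d^a_a (under R^a, mode 'a') or d^c_a (under R^c, mode 'c')."""
        rel = self.must if mode == "a" else self.may
        return {t for (x, b, t) in rel if x == s and b == a}


def lts(states: Iterable[str], trans: Iterable[Trans]) -> MTS:
    """A labelled transition system: may- and must-transitions coincide."""
    t = frozenset(trans)
    return MTS(frozenset(states), t, t)


def refines(spec: MTS, s: str, impl: MTS, t: str) -> bool:
    """(spec, s) ≺ (impl, t), computed as the greatest fixed point that the recursive
    equations (4.4) encode: start from all state pairs and drop (m, n) while a must-transition
    of m has no matching must-transition of n, or a may-transition of n has no matching
    may-transition of m, into a pair that is still related."""
    rel = {(m, n) for m in spec.states for n in impl.states}
    changed = True
    while changed:
        changed = False
        for (m, n) in sorted(rel):
            musts_ok = all(any((m2, n2) in rel for n2 in impl.succ(n, a, "a"))
                           for (x, a, m2) in spec.must if x == m)
            mays_ok = all(any((m2, n2) in rel for m2 in spec.succ(m, a, "c"))
                          for (x, a, n2) in impl.may if x == n)
            if not (musts_ok and mays_ok):
                rel.discard((m, n))
                changed = True
    return (s, t) in rel


# Hennessy-Milner logic as nested tuples; disjunction and box are derived by negation.
TT = ("tt",)
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Or(f, g): return Not(And(Not(f), Not(g)))
def Dia(a, f): return ("dia", a, f)
def Box(a, f): return Not(Dia(a, Not(f)))


def sat(M: MTS, s: str, mode: str, f) -> bool:
    """Three-valued semantics (M, s) |=^a f (mode 'a') and (M, s) |=^c f (mode 'c'): negation
    swaps the mode, and <a> ranges over d^a_a or d^c_a as in (3.12)."""
    if f[0] == "tt":
        return True
    if f[0] == "not":
        return not sat(M, s, "c" if mode == "a" else "a", f[1])
    if f[0] == "and":
        return sat(M, s, mode, f[1]) and sat(M, s, mode, f[2])
    return any(sat(M, t, mode, f[2]) for t in M.succ(s, f[1], mode))


def psi(w: Tuple[str, ...], a: str, f):
    """psi^{w,a} = [w_1]...[w_n](<a>f ∨ ¬<a>f) as in (3.10), with f standing in for phi_p."""
    body = Or(Dia(a, f), Not(Dia(a, f)))
    for d in reversed(w):
        body = Box(d, body)
    return body


def unmatched(M: MTS, s: str, events: Tuple[str, ...], fs, depth: int) -> List[Tuple]:
    """Pairs (w, a) whose judgment (M, s) |=^a psi^{w,a} fails for |w| <= depth: a state
    may-reachable via w has a may-transition on a that no must-transition matches."""
    return [(w, a) for n in range(depth + 1) for w in product(events, repeat=n)
            for a in events for f in fs if not sat(M, s, "a", psi(w, a, f))]


def lost(spec: MTS, s: str, impl: MTS, t: str, fs) -> List:
    """Formulas asserted at (spec, s) but not at (impl, t). Empty whenever (spec, s) ≺
    (impl, t) (Corollary 3.12, (a) implies (b)), so a non-empty list witnesses non-refinement."""
    return [f for f in fs if sat(spec, s, "a", f) and not sat(impl, t, "a", f)]


# Constructed systems in the spirit of the pub scenario (not the paper's Figure 2).
EV = ("drinks", "talks", "orders", "newPint")
ST = {"Drinks", "Talks", "Waits"}
SPEC = MTS(frozenset(ST),  # Drinks and Talks only have may-transitions; Waits must serve a pint
           must=frozenset({("Waits", "newPint", "Drinks"), ("Waits", "newPint", "Talks")}),
           may=frozenset({("Drinks", "drinks", "Drinks"), ("Drinks", "talks", "Talks"),
                          ("Drinks", "orders", "Waits"), ("Talks", "drinks", "Drinks"),
                          ("Talks", "orders", "Waits"), ("Waits", "newPint", "Drinks"),
                          ("Waits", "newPint", "Talks")}))
IMPL_OK = lts(ST, {("Drinks", "drinks", "Drinks"), ("Drinks", "orders", "Waits"),
                   ("Waits", "newPint", "Drinks"), ("Waits", "newPint", "Talks"),
                   ("Talks", "drinks", "Drinks")})
# Waits never serves the pint to Talks, so SPEC's must-transition to Talks is unmatched.
IMPL_BAD = lts(ST, {("Drinks", "talks", "Talks"), ("Drinks", "orders", "Waits"),
                    ("Waits", "newPint", "Drinks"), ("Talks", "drinks", "Drinks")})
```

Calling unmatched on IMPL_OK returns no failing judgment at any depth, whereas SPEC fails already for the empty word, which is the finite-state shadow of Theorem 3.20's max(D) = C_Φ.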
So c_1(d, e) measures the degree of inconsistency of (𝒟, d) and (𝒟, e), a lower bound on the
difference between their implementations, c_2(d, e) is an upper bound on such a difference,
and none of them is a metric: from item (?) of Definition 3.1, c_1 satisfies only (b) and
c_2 satisfies only (b) and (c). The reducibility of common refinement checks to satisfiability
checks in the modal mu-calculus yields EXPTIME as a weak upper bound on its complexity.
Since the formulas are defined in terms of greatest fixed points only, one can indeed show
a stronger result: the decision problem of common refinements is in PTIME [25].

4.4. Scope of these results. Our results also apply to 3-valued model checking frame-
works in which system observables are state propositions or a combination of state propo-
sitions and events. This is so since Godefroid & Jagadeesan's translation between modal
transition systems (events only), partial Kripke structures [?] (state propositions only), and
Kripke modal transition systems [?] (events and state propositions) and their translations
of the respective temporal logic formulas are shown to preserve and reflect refinement and
the meaning of model checks [20].

5. Related work

Bakker & Zucker use domain equations and metric completions for a metric and deno-
tational treatment of concurrency in [12].

Lawson proposes the notion of a maximal-point space to represent classical topological
spaces as maximal points of a domain in the topology induced by the domain's Lawson-
and Scott-topology [31].

Abramsky [?] provides a fully abstract domain of synchronization trees for partial bisim-
ulation between labelled transition systems that have a divergence predicate. The domain
equation of loc. cit. uses a sum construction on the convex powerdomain. Maximal points
are not part of that paper's agenda and are therefore not discussed therein. Labelled transi-
tion systems with a divergence predicate and partial bisimulation are recognized as certain
modal transition systems and their refinement in [26].

Mislove et al. present a fully abstract domain model, which combines the probabilistic
power domain with a convex variant of the Plotkin powerdomain, for finite-state processes
with non-deterministic and probabilistic choice [36].

Alessi et al. [?] introduce a category of SFP^M-domains with a compositional maximal-
points space functor to Stone spaces. They show that all bifinite domains D for which
max(D) is a Stone space are Scott-continuous retracts of SFP^M-domains. In particular, D
is such a retract by Theorem 3.20. We suspect that D is not an SFP^M-domain since M[D_1]
is not an SFP^M-domain for the SFP^M-domain D_1 = {⊥ < ff, tt} [?], although M[D_1] is
the second iteration of the domain equation (2.4) for D when Act = {a}.

The paper [27] presents the domain D and its modal transition system 𝒟, both denoted as 𝒟 in loc. cit., and proves full abstraction and a characterization of D's compact elements in terms of formulas of Hennessy-Milner logic. 

In PHj it is shown that the co-inductive refinement of modal transition systems has an extensional description: a pointed modal transition system (M, i) refines a pointed modal transition system (N, j) if, and only if, the set of implementations of (M, i) is a subset of the implementations of (N, j). 

Dams & Namjoshi ^JJI show that finite-state modal transition systems are incomplete as abstractions of infinite-state modal transition systems for modal mu-calculus checking. They propose focused transition systems as a generalization of modal transition systems, show completeness for this class of models, and define a game semantics for refinement of focused transition systems and a game semantics for model checks of alternating tree automata on focused transition systems. It is straightforward to write down a domain equation for focused transition systems but a programme of maximal-points spaces won't directly render pointed Kripke structures since, as noted in ^Uj, focused transition systems can have maximal refinements that have inconsistent constraints on propositions at states. 

In [25] consistency, satisfiability, and validity problems are studied for collectively model checking a set of views endowed with labelled transitions, hybrid constraints on states, and atomic propositions. A PTIME algorithm for deciding whether a set of views has a common refinement (consistency) is given. It is proved that deciding whether a common refinement satisfies a formula of the hybrid mu-calculus [30] (satisfiability), and its dual (validity), are EXPTIME-complete. Two generically generated "summary" views are defined that constitute informative and consistent common refinements and abstractions of a set of views (respectively). 

Di Pierro et al. [15] develop a quantitative notion of process equivalence as the basis for an approximative version of non-interference and precise quantifications of information leakage. They present two semantics-based analyses for approximative non-interference where one soundly abstracts the other. 

Desharnais et al. [13] show that each continuous-state labelled Markov process has a 
sequence of finite acyclic labelled Markov processes as abstractions which is precise for a 
probabilistic modal logic; an equivalence between the category of Markov processes and 
simulation morphisms and a recursively defined domain, viewed as a category, is given. 

Desharnais et al. [14] define a pseudo metric between labelled concurrent Markov chains where zero distance means weak bisimilarity. The metric is characterized in a real-valued modal logic and shown to allow for compositional quantitative reasoning. 

6. Conclusions 

We presented the fully abstract and universal domain model D for pointed modal transition systems and refinement of [27]. Using techniques from concurrency theory and topology, we demonstrated that D is the right fully abstract and universal model for labelled transition systems and bisimulation since the quotient space of all pointed labelled transition systems with respect to bisimulation, (X, τ_X), is obtained as the maximal-points space of D. We furthermore revealed the fine-structure of X, notably we proved that its topology τ_X inherited from the Scott- and Lawson-topology of D is compact, zero-dimensional, and Hausdorff (a Stone space). In particular, τ_X is determined by a computationally meaningful, complete ultra-metric d_X for which image-finite labelled transition systems approximate labelled transition systems to any degree of precision. Modulo refinement, (D, k) is image-finite for all k ∈ K(D), so this denseness also applies to modal transition systems for the Lawson-topology and its metric d_D. Thus our results unify denotational, operational, and metric semantics of labelled and modal transition systems. We finally derived consequences of this compact representation: a compactness theorem for Hennessy-Milner logic on compact sets of implementations, an abstract interpretation of compact sets of implementations as Scott-closed sets of modal transition systems, and a robust consistency measure for modal transition systems. 